CVE-2025-33228

7.3 HIGH

📋 TL;DR

NVIDIA Nsight Systems contains an OS command injection vulnerability in the gfx_hotspot recipe. Attackers can execute arbitrary commands by supplying malicious input to the process_nsys_rep_cli.py script when invoked manually. This affects users who manually run the vulnerable script with untrusted input.

💻 Affected Systems

Products:
  • NVIDIA Nsight Systems
Versions: All versions prior to 2025.2.1
Operating Systems: Windows, Linux
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when the process_nsys_rep_cli.py script is manually invoked with malicious input. Not vulnerable during normal Nsight Systems operation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with code execution, privilege escalation, data tampering, denial of service, and information disclosure.

🟠 Likely Case

Limited code execution in the context of the user running the script, potentially leading to data access and system manipulation.

🟢 If Mitigated

No impact if script is not invoked manually with untrusted input or if proper input validation is implemented.

🌐 Internet-Facing: LOW - Requires manual script execution with malicious input, not typically exposed to internet.
🏢 Internal Only: MEDIUM - Could be exploited by malicious insiders or through compromised accounts if script is used with untrusted data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires manual script execution with crafted input. No authentication bypass needed beyond access to run the script.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.2.1 and later

Vendor Advisory: https://nvidia.custhelp.com/app/answers/detail/a_id/5755

Restart Required: No

Instructions:

1. Download Nsight Systems 2025.2.1 or later from NVIDIA Developer website.
2. Install the update following NVIDIA's installation guide.
3. Verify installation by checking version in Nsight Systems interface.

🔧 Temporary Workarounds

Restrict Script Execution

Platform: Linux

Limit who can execute the vulnerable script and ensure it's only run with trusted input.

chmod 750 process_nsys_rep_cli.py
sudo chown root:root process_nsys_rep_cli.py

Input Validation

Platform: All

Add input validation to sanitize user-supplied strings before processing.

🧯 If You Can't Patch

  • Avoid manually invoking process_nsys_rep_cli.py with untrusted input
  • Implement strict access controls on the script and monitor for unauthorized execution

🔍 How to Verify

Check if Vulnerable:

Check the Nsight Systems version. If it is below 2025.2.1 and process_nsys_rep_cli.py exists, the system is vulnerable.

Check Version:

nsys --version, or check About in the Nsight Systems GUI

Verify Fix Applied:

Verify Nsight Systems version is 2025.2.1 or later and test script with safe input to confirm functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution from process_nsys_rep_cli.py
  • Suspicious arguments passed to Python script

Network Indicators:

  • None - local exploitation only

SIEM Query:

process_name:"python" AND command_line:"process_nsys_rep_cli.py" AND command_line:("|" OR ";" OR "$" OR "`")
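
The same detection as the SIEM query above, written as an added example (not NVIDIA's code and not part of the original advisory) that runs over process-creation events and narrows the match to the text after the script name, so a metacharacter elsewhere in the command line does not raise an alert. The event field names, hosts, paths and arguments are constructed placeholders, and the "&" and newline characters are an assumption added to the query's set.

```python
import re

SCRIPT = "process_nsys_rep_cli.py"
# "|", ";", "$" and "`" come from the page's SIEM query; "&" and newline are
# added here as an assumption (other common shell command separators).
SHELL_META = set("|;$`&\n")
# Matches python, python3, python3.11, python.exe (interpreter naming assumed).
PYTHON_RE = re.compile(r"^python(\d+(\.\d+)?)?(\.exe)?$", re.IGNORECASE)

def metachars_after_script(process_name, command_line):
    """Shell metacharacters found in the text that follows the script name."""
    if not PYTHON_RE.match(process_name):
        return []
    idx = command_line.lower().find(SCRIPT)
    if idx < 0:
        return []
    tail = command_line[idx + len(SCRIPT):]
    return sorted(set(tail) & SHELL_META)

def scan(events):
    """Return (host, metacharacters) for every event worth an analyst's look."""
    alerts = []
    for ev in events:
        found = metachars_after_script(ev["process_name"], ev["command_line"])
        if found:
            alerts.append((ev["host"], found))
    return alerts

# Constructed process-creation events; hosts, paths and arguments are placeholders.
EVENTS = [
    {"host": "ws-01", "process_name": "python3",
     "command_line": "python3 /path/to/process_nsys_rep_cli.py run1.nsys-rep"},
    {"host": "ws-02", "process_name": "python3",
     "command_line": 'python3 /path/to/process_nsys_rep_cli.py "run1;id"'},
    {"host": "ws-03", "process_name": "python.exe",
     "command_line": r"python.exe C:\path\to\process_nsys_rep_cli.py out$(whoami)"},
    # "$" appears before the script name only: not an argument, so no alert.
    {"host": "ws-04", "process_name": "python3",
     "command_line": "python3 /path/$USER/process_nsys_rep_cli.py run1.nsys-rep"},
    # Different script: out of scope for this rule.
    {"host": "ws-05", "process_name": "python3",
     "command_line": 'python3 other.py "a|b"'},
]

if __name__ == "__main__":
    for host, found in scan(EVENTS):
        print(f"{host}: metacharacters {found} in arguments to {SCRIPT}")
```
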
